Mirth and Log4J

[dave-marks-nnuh]

Hi All,
I realise this is an old subject, but I'm told new exploits are being found for Log4J v1 as used in Mirth. I have searched around and seem to keep coming back to the start. I have a couple of questions.

Does anyone have any idea when Mirth is likely to be upgraded to use the new libraries? Most answers I've found just say "it's on the list". An approximate date would be really helpful.

Is there any easy way of utilising Log4J V2 within Mirth? I've seen reponses that mention rebuilding the source etc, but this is not really an option for us. Our current version of Mirth is v3.12.0

Many thanks in advance.

[jonbartels]

I have searched around and seem to keep coming back to the start.

Please share what you did find already. This helps get better answers to your specific questions if we can see what you already found. This also helps the next person with a similar question see your work and helps the community!

https://github.com/nextgenhealthcare/connect/search?q=log4j&type=discussions, particularly 4892, covers this well. You're not alone in this concern.

I'm told new exploits are being found for Log4J v1 as used in Mirth

Again, showing the specific CVEs can help motivate NextGen to upgrade or patch Log4J. It can also help other users apply workarounds. Specifically, if there's a new one I haven't noticed hearing it from you will help me! :P

Does anyone have any idea when Mirth is likely to be upgraded to use the new libraries? Most answers I've found just say "it's on the list". An approximate date would be really helpful.

The monthly developer webinar is a good place to hear about or raise these questions.

Shifting back to engineering - I wanted to highlight this comment from Chris: #4892 (reply in thread) . He covers what Log4J 1.x is at risk for and how to mitigate it.